Since the invention of the computer, companies have invested in myriad solutions with the universal intent of protecting their servers by keeping hackers out.
But as Sony, Yahoo!, the Democratic National Committee and countless others have learned, not only is that difficult, it may even be impossible.
The team running encryption startup PreVeil takes an entirely different approach to cybersecurity. They assume that all servers will eventually get hacked and focus instead on protecting data in spite of such breaches.
The result is an end-to-end encryption service that makes the data in servers unreadable and thus useless to hackers. Information is only decrypted once it reaches a user’s device, which has a unique key that automatically makes it accessible; no passwords required.
People with superuser privileges—another traditional target for hackers—are also protected with a system the company calls Approval Groups. The patent-pending Approval Group system ensures that privileged activities, such as access to certain private information, can only be enabled after receiving cryptographic approval from a group of predetermined IT administrators or leaders. No single administrator can compromise an entire organization.
With an email service in beta and a file sharing service on the way, PreVeil hopes to push individuals and companies into a new, distributed and secure age of cybersecurity.
“Today the server is the central point of everything, it has all of the information and does all of the work,” PreVeil co-founder Sanjeev Verma says. “In the tomorrow we’re trying to bring about, the server is still a repository, but it never has access to the data or the keys that decrypt that data. There should never be a central point of attack to compromise an entire system. The big change we’re trying to bring about is that you can’t attack one person or server to get to all of the people in a system.”
You might be assuming Verma and Randy Battat are security industry lifers and the PreVeil solution is the culmination of a career’s work in encryption. Actually, as recently as four years ago, the founders admit they knew “squat” about cybersecurity.
Verma and Battat earned engineering degrees in the 1980s, but since then their careers have been about as business-oriented as you can get. The two first met in 1997 while working at Motorola before teaming up to build wireless networking company Airvana into one of the largest providers of 3G broadband infrastructure in the world.
“Airvana was a good ride, it had a good financial outcome, but I think CEOs have about a ten year half-life. After that they start to decompose, and I was feeling that,” Battat says. “The industry just wasn’t as exciting anymore and I knew it was time to move on. But neither of us had any desire to retire. We just wanted to do something interesting again.”
Verma and Battat left Airvana in 2013 and 2014, respectively, and set out to immerse themselves in the cybersecurity industry in hopes of finding an idea or technology to commercialize.
In 2014 Verma, who’d received his MBA from MIT’s Sloan School of Management, began talking with MIT Associate Professor of Computer Science Nickolai Zeldovich. Zeldovich educated Verma on cybersecurity standards and pointed him to a brilliant doctoral thesis paper that had recently been submitted by then-PhD student Raluca Ada Popa.
“The research paper assumed that even the best protected systems are going to get breached and asked ‘If they get breached, can we protect the information on the servers?’” Verma explains. “The answer to that was using end-to-end encryption, so we built on that basic premise for PreVeil.”
Raluca, who is currently a professor at UC Berkeley’s College of Engineering, didn’t quite know what to make of the two cybersecurity newbies eager to build on her paper, but after what Battat remembers as “weeks and weeks of questions,” she decided to join the venture.
Zeldovich took a sabbatical in 2015, completing the formation of the core PreVeil team, and the majority of the year was spent building on the security systems Raluca had described in her thesis.
With product development underway, Verma and Battat were able to get back to channeling their business instincts. The first thing they invested in was a user interface designer. Then they met with dozens of CIOs and IT administrators, using screenshots from their initial design to demonstrate the system.
“We hit the road just trying to figure out if we were on to something, because we hadn’t been in this industry for very long,” Battat says. “We got a lot of good feedback as we were building the company.”
That feedback taught the team the importance of making the system easy to use.
“The vast majority of emails and messages contain sensitive information in a business context, but none of it ever gets encrypted because it’s a pain in the butt,” Battat says. “Our thesis is if we can make encryption super easy to use, make it almost disappear, then we’ll go from almost nothing being encrypted to almost everything.”
To get started with the email solution today, users download the free PreVeil software or app (for mobile devices) and create an account using their preferred email address. They can then access their secure email through the PreVeil app, a web browser or a mail client such as Microsoft Outlook or Apple Mail and send encrypted messages to other PreVeil users.
“Our solution is simple because you can keep your email address,” Verma says. “If you want to install our software with something like Microsoft Outlook, it just adds another mailbox in your email. Then anything you send and receive through this new box is encrypted, so the user doesn’t really have to think about encryption, they just know using that mailbox makes things secure.”
The company’s Dropbox-like file sharing service, which will be available in the next few months, will be similarly easy to install and use. The founders stress, however, that they’re taking their time growing out the business and holding off on raising funding for now.
Although anyone can use PreVeil, the team is targeting businesses with large amounts of outside communication because that’s traditionally been difficult data to protect.
“You can have an IT guy design encryption within a business, but when you’re working with customers, suppliers or business partners, that’s much harder to secure,” Battat says. “PreVeil is uniquely qualified to solve that kind of problem.”
Verma says well over 100 companies are already using PreVeil’s email solution, and the team is hoping to transform the cybersecurity industry one user at a time so that decentralized, end-to-end encryption becomes the norm.
“Ideally it will spread throughout an organization, and then people will love it so much they’ll use PreVeil for everything they’re doing,” Verma says. “Our approach is a big change from what’s happening today. We’re really trying to foment a revolution.”
Images courtesy of PreVeil.